Victims of a massive global hack of Microsoft's e-mail server software, estimated at tens of thousands by cybersecurity responders, rushed Monday to shore up compromised systems and reduce the chances that intruders could steal data or disrupt their networks.
The White House has described the hack as an "active threat" and said senior national security officials were focused on it.
The breach was discovered in early January and was attributed to Chinese cyberespionage actors targeting U.S. policy think tanks. Then, in late February, five days before Microsoft issued a patch on March 2, there was an explosion of infiltrations by other intruders piggybacking on the initial breach. Victims run the full spectrum of organizations that operate their own email servers, from mom-and-pop retailers to law firms, city governments, health care providers and manufacturers.
Although the hack does not pose the kind of national security threat that the more sophisticated SolarWinds campaign did, which the Biden administration blames on Russian intelligence officers, it may be an existential threat to victims who did not install the patch in time and who now have intruders on their systems. The hack poses a new challenge for the White House, which, while preparing to respond to the SolarWinds intrusion, must now contend with a formidable and very different threat from China.
"I would say it's a serious threat to economic security, because many small businesses out there could literally have their business destroyed through a targeted ransomware attack," said Dmitri Alperovitch, former chief technology officer of cybersecurity company CrowdStrike.
He blames China for the global wave of infections that began on February 26, although other researchers say it is too early to attribute them with confidence. It is a mystery how the hackers learned of the initial breach, because no one knew about it except a handful of investigators, Alperovitch said.
Once the patch was released, a third wave of infections began, which typically happens in these cases because Microsoft dominates the software market and offers a single point of attack.
Cybersecurity analysts trying to assemble a full picture of the hack said their analyses match the figure of 30,000 U.S. victims reported Friday by cybersecurity blogger Brian Krebs. Alperovitch estimated 250,000 victims worldwide.
Microsoft declined to say how many customers it believes are infected.
David Kennedy, CEO of cybersecurity company TrustedSec, said hundreds of thousands of organizations could have been vulnerable to the hack.
“Anyone who had Exchange installed was potentially vulnerable,” he said. “They’re not all, but a big percentage.”
Katie Nickels, intelligence director for cybersecurity company Red Canary, warned that installing the patches will not be enough to protect those who are already infected. "If you apply the patch today, that will protect you going forward, but if adversaries are already in your system, you have to be careful," she said.
A smaller number of organizations were the targets of the initial intrusion, by hackers who took data, stole credentials or scanned within networks and left back doors behind at universities, defense contractors, law firms and infectious-disease research centers, the researchers said. Among those Kennedy has been working with are manufacturers concerned about intellectual property theft, hospitals, financial institutions and managed service providers that host multiple corporate networks.
"On a scale of one to ten, this is a 20," Kennedy said. "It was basically a skeleton key to open any company that had this Microsoft product installed."
Asked for comment, the Chinese embassy in Washington pointed to Foreign Ministry spokesman Wang Wenbin's statements last week that China "firmly opposes and combats cyberattacks and cyber theft in all their forms" and cautioned that attribution of cyberattacks should be based on evidence and not "baseless allegations."
The hack did not affect Microsoft 365, the cloud-based collaboration and email service favored by Fortune 500 companies and other organizations that can afford quality security. This highlights what some in the industry lament as two classes of computing: the security "haves" and "have-nots."
Ben Read, Mandiant's director of analysis, said the cybersecurity firm has not yet seen anyone exploit the hack for financial gain, "but for people who are affected, it is essential to fix this problem in a timely way."
This is easier said than done for many victims. Many have skeleton IT staffs and cannot afford an emergency cybersecurity response, not to mention the added complications of the pandemic.
Fixing the problem is not as simple as clicking an update button on a computer screen. It requires upgrading an organization's so-called Active Directory, which lists email users and their respective privileges.
"Taking down an email server is not something you do lightly," said Alperovitch, who chairs the nonprofit Silverado Policy Accelerator think tank.
Tony Cole of Attivo Networks said the huge number of potential victims creates a perfect "smokescreen" for nation-state hackers to hide a much smaller list of intended targets, by tying up cybersecurity defenders who are already stretched thin. "There are not enough incident response teams to handle all of this."
Many experts were surprised and perplexed by the way the groups rushed to infect servers just before Microsoft's patch release. Kennedy, of TrustedSec, said it took Microsoft too long to get a patch out, though he does not think it should have notified people before the patch was ready.
Steven Adair of cybersecurity company Volexity, which alerted Microsoft to the initial intrusion, described "massive, indiscriminate exploitation" that began the weekend before the patch was released and included groups from "many different countries, (including) criminal actors."
The Cybersecurity and Infrastructure Security Agency issued an urgent alert about the hack on Wednesday, and National Security Adviser Jake Sullivan tweeted about it the following night.
But the White House has not yet announced any specific initiatives to respond.